# BOX Deployment Plan

Date: 2026-06-12

Target: `https://box.zweichain.net`

## What is ready

- Static landing page.
- Model Arena section.
- JavaScript low-resolution ring simulator.
- `robots.txt`, `sitemap.xml`, and `404.html`.
- Token metadata draft.
- Contract workspace.
- Static server support files.
- Nginx server-block template.
- Python/SQLite MVP arena API.
- Browser MVP console for tournament status, commits, and leaderboard.
- Open Graph/Twitter preview image, favicon, app icons, and web manifest.

## Server setup

1. Point DNS for `box.zweichain.net` to the selected server.
2. Create webroot:

   ```bash
   sudo mkdir -p /var/www/box.zweichain.net/current
   ```

3. Copy public static files from this `BOX` folder into the webroot.
4. Install or link `deploy/nginx/box.zweichain.net.conf`.
5. Run:

   ```bash
   sudo nginx -t
   sudo systemctl reload nginx
   ```

6. Enable HTTPS using the server's normal certificate workflow.

## Dynamic app option

For live tournaments and leaderboards, run the Python app behind nginx:

```bash
cd /var/www/box.zweichain.net/current
python app/box_app.py --host 127.0.0.1 --port 8088
```

Then proxy `/api/` to `http://127.0.0.1:8088`.

Public commits are closed by default in the systemd template:

```text
BOX_ENABLE_PUBLIC_COMMITS=0
```

Before opening commits on a public VPS, confirm the rate limiting, moderation/log review, backup policy, and wallet-signature verification plan. Keep admin writes locked with `BOX_ADMIN_TOKEN`, set in a systemd override file that is not committed to git.

Systemd template:

```text
deploy/systemd/box-arena.service
```

Typical install:

```bash
sudo cp deploy/systemd/box-arena.service /etc/systemd/system/box-arena.service
sudo systemctl daemon-reload
sudo systemctl enable --now box-arena
sudo systemctl status box-arena
```

Use static-only nginx until the arena needs real submissions.
Use Python app mode when you want the MVP console to show live tournament and leaderboard data.

## Do not upload

- `.env`
- private keys
- private model uploads
- `app/data/box_arena.db` unless intentionally migrating local test data
- hidden tournament test sets
- production `BOX_ADMIN_TOKEN`
- `node_modules/`
- Hardhat `cache/`
- Hardhat `artifacts/`
- personal notes not meant for public view
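
A pre-upload check for the list above, run against a staging copy before it is synced to the webroot. This is an added example, not part of the BOX repository: the function names, the key-file name patterns, and the rule that any populated `BOX_ADMIN_TOKEN=` assignment counts as a finding are assumptions. Private model uploads, hidden test sets, and personal notes have no path on this page and still need a manual review.

```shell
#!/bin/sh
# Added example: scan a staging directory for items on the "Do not upload" list.
# Assumptions: key files are recognised by common names (*.pem, *.key, id_rsa,
# id_ed25519) or a PEM private-key header; any directory named cache/ or
# artifacts/ is treated as Hardhat output. Requires GNU find and grep.

find_forbidden() {
  root="${1:?usage: find_forbidden <staging-dir>}"
  [ -d "$root" ] || return 2
  (
    cd "$root" || exit 2
    # Name-based checks. -prune reports the directory once without descending.
    find . \( -type d \( -name node_modules -o -name cache -o -name artifacts \) \
              -prune -print \) \
        -o \( -type f \( -name '.env' -o -name '.env.*' \
              -o -path './app/data/box_arena.db' \
              -o -name '*.pem' -o -name '*.key' \
              -o -name 'id_rsa' -o -name 'id_ed25519' \) -print \)
    # Content-based checks on text files: private-key headers and a
    # BOX_ADMIN_TOKEN assignment that carries a value (empty templates pass).
    grep -rIlE \
        --exclude-dir=node_modules --exclude-dir=cache --exclude-dir=artifacts \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e 'BOX_ADMIN_TOKEN=[^[:space:]]' . || true
  ) | sed 's|^\./||' | LC_ALL=C sort -u
}

# Returns 0 when the tree is clean, 1 when findings exist, 2 on a bad path.
check_upload() {
  hits="$(find_forbidden "$1")" || return 2
  if [ -n "$hits" ]; then
    printf 'Do not upload:\n%s\n' "$hits" >&2
    return 1
  fi
}

# When called with a directory argument, run the check directly.
[ $# -eq 0 ] || check_upload "$1"
```

Run it as `sh check-upload.sh ./staging` (the file name is hypothetical) and copy files to the webroot only when it exits 0.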

## Verify before DNS cutover

Run local static verification:

```powershell
powershell -ExecutionPolicy Bypass -File deploy/verify-static.ps1
```

After the server is live, check:

- `https://box.zweichain.net/`
- `https://box.zweichain.net/metadata/box.token.json`
- `https://box.zweichain.net/model-arena/box-model-manifest.schema.json`
- `https://box.zweichain.net/robots.txt`
- `https://box.zweichain.net/sitemap.xml`
- `https://box.zweichain.net/favicon.ico`
- `https://box.zweichain.net/site.webmanifest`
- `https://box.zweichain.net/assets/box-og-image.jpg`
- `https://box.zweichain.net/api/health` if the app service is enabled
- `https://box.zweichain.net/api/config` if the app service is enabled

For SNS/SMS preview checks, see `SOCIAL-PREVIEW.md`.

## Later

When the Unity sample source arrives:

- keep the current JavaScript simulator as a fast fallback,
- build Unity WebGL separately,
- publish WebGL only after load time, mobile layout, and model-arena integration are verified.
